20 CIS Controls: Control 13 – Data Protection

Today, I will be going over Control 13 from version 7 of the top 20 CIS Controls – Data Protection. I will go through the nine requirements and offer my thoughts on what I’ve found.

Key Takeaways for Control 13

A wide array of difficulty. Some of these recommendations can be considered quick wins, such as blocking access to cloud storage providers. Others, such as creating an inventory of sensitive information, can be a never-ending process. This is one of the more difficult controls to fully implement, and for good reason. Protecting data is the primary goal of everyone in information security.

Rely on hardening standards. Both CIS and DISA have hardening guidelines for mobile devices. These guidelines have recommendations on encrypting the drive as well as locking down USB access.

Look to Control 6. DLP can be expensive to roll out. By collecting audit logs across devices, you can gain some insight into exfiltration of sensitive data with existing tools. Tag the assets with sensitive data and monitor those more carefully. Leverage baselines for both network and file data so anything suspicious can quickly be flagged.
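The baseline idea above can be sketched in a few lines. This is an added example, not part of the original post: it compares today's outbound volume per host with a one-week baseline and applies a stricter threshold to assets tagged as holding sensitive data. Host names, figures and thresholds are constructed assumptions.

```python
from statistics import median

# Constructed sample: daily outbound volume (MB) per host for the past week,
# plus today's value. Host names and numbers are made up for illustration.
HISTORY_MB = {
    "hr-fileserver": [120, 135, 110, 128, 140, 125, 130],
    "dev-laptop-17": [800, 950, 400, 1200, 700, 1000, 850],
    "kiosk-03": [5, 6, 5, 7, 5, 6, 5],
}
TODAY_MB = {"hr-fileserver": 300, "dev-laptop-17": 1500, "kiosk-03": 6}
SENSITIVE = {"hr-fileserver"}  # assets tagged from the sensitive-data inventory


def robust_score(history, value):
    """Distance of value above the median, in median absolute deviations."""
    med = median(history)
    # Fall back to 1.0 when the history is flat, to avoid dividing by zero.
    mad = median(abs(x - med) for x in history) or 1.0
    return (value - med) / mad


def flag_hosts(history, today, sensitive,
               normal_threshold=6.0, sensitive_threshold=3.0):
    """Return (host, score) for hosts whose outbound volume exceeds baseline.

    Tagged assets use the lower threshold, so the same deviation that is
    tolerated on an ordinary host raises a flag on a sensitive one.
    """
    flagged = []
    for host, value in sorted(today.items()):
        score = robust_score(history[host], value)
        limit = sensitive_threshold if host in sensitive else normal_threshold
        if score > limit:
            flagged.append((host, round(score, 1)))
    return flagged


if __name__ == "__main__":
    for host, score in flag_hosts(HISTORY_MB, TODAY_MB, SENSITIVE):
        print(f"{host}: outbound volume {score} MADs above baseline")
```

With the sample data only the tagged file server is flagged; the developer laptop's deviation would be flagged too if that host were tagged as sensitive.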

Requirement Listing for Control 13

1. Maintain an Inventory of Sensitive Information

Description: Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization’s technology systems including those located onsite or at a remote service provider.

Notes: Creating an initial list of where sensitive information is stored can be simple enough. The difficult task comes with maintaining the list and continually hunting for that data. This requirement is important since it will feed many requirements in both this Control and Control 14.

2. Remove Sensitive Data or Systems Not Regularly Accessed by Organization

Description: Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.

Notes: One of the reasons it is important to continually update the list of where sensitive information is stored (previous requirement) is that in some cases it will need to be removed. Having sensitive information in a powered-off virtual machine still carries risk since the virtual machine file can still be stolen. Ensure the proper virtualization monitoring tools are in place to both harden and monitor the virtual infrastructure.

3. Monitor and Block Unauthorized Network Traffic

Description: Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.

Notes: This is data loss prevention in a nutshell. Even though there are great tools at your disposal which can specialize in DLP, classifying the data to begin with will help reduce the loss rate of sensitive data.

4. Only Allow Access to Authorized Cloud Storage or Email Providers

Notes: There is much less visibility into third-party cloud/email providers than there is for internally owned assets. Because of this, it’s important to at least have a policy to prohibit access to these providers. The next step is to block access to them entirely at the network perimeter.

5. Monitor and Detect Any Unauthorized Use of Encryption

Description: Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Notes: For the same reason that encryption is used for legitimate services, hackers will use encryption to hide what data is being stolen. This helps them evade detection to reach their ultimate goal. Look not only for anomalous encryption on the network but also for computer-generated domain names.
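One way to hunt for computer-generated domain names in DNS logs, as an added example that is not part of the original post: a simple heuristic based on label length, character entropy and vowel ratio, grouped by client. The log format, thresholds and names are constructed assumptions; hashed CDN hostnames can trip the same heuristic, so treat hits as leads to review.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log: timestamp, client IP, queried name.
DNS_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com
2024-01-01T10:00:02 10.0.0.5 internal-documentation.example.com
2024-01-01T10:00:03 10.0.0.9 xkq7vz2plw9rtb4m.test
2024-01-01T10:00:04 10.0.0.9 q8zj4kx0wv7tmp2y.test
2024-01-01T10:00:05 10.0.0.7 mail.example.org
"""


def shannon_entropy(s):
    """Bits of entropy per character in s."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_generated(name, min_len=12, min_entropy=3.5, max_vowel_ratio=0.25):
    """Heuristic: long, high-entropy, vowel-poor label suggests a generated name."""
    label = max(name.lower().rstrip(".").split("."), key=len)
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return (shannon_entropy(label) >= min_entropy
            and vowels / len(label) <= max_vowel_ratio)


def suspicious_clients(log_text, min_names=2):
    """Map client IP to generated-looking names, for clients with several."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, name = parts
        if looks_generated(name):
            hits[client].add(name)
    return {c: sorted(n) for c, n in hits.items() if len(n) >= min_names}


if __name__ == "__main__":
    for client, names in suspicious_clients(DNS_LOG).items():
        print(client, names)
```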

6. Encrypt the Hard Drive of All Mobile Devices

Notes: Even well-intending users lose a laptop or phone from time to time. Make sure the encryption is configured properly to prevent attacks that steal decryption keys from memory when the system is in hibernation or sleep mode.

7. Manage USB Devices

Description: If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained.

Notes: USB input devices are pretty much standard these days, or maybe I am dating myself by thinking PS/2 keyboards and mice are still around. Either way, blocking mass storage devices or only whitelisting input devices can reduce the attack surface for data exfiltration.

8. Manage System's External Removable Media's Read/Write Configurations

Description: Configure systems not to write data to external removable media if there is no business need for supporting such devices.

Notes: The USB drive is more at risk of being an attack vector than a medium for data exfiltration. However, in some environments data exfiltration will be a major concern. In that case, blocking USB access completely is the best choice. If there is a business case for USB access, a per user exception can be made quite easily just by managing permissions to DLL files in Windows.

9. Encrypt Data on USB Storage Devices

Description: If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Notes: This one to me seems like it is difficult to enforce. Provide the training to employees so they are aware of the risks of data on USB drives. Then provide them with the tools to secure your organization’s critical data.